Telnyx Targeted in Growing TeamPCP Supply Chain Attack

"The WAV file is a valid audio file. It passes MIME-type checks. But the audio frame data contains a base64-encoded payload. Decode the frames, take the first 8 bytes as the XOR key, XOR the rest, and you have your executable or Python script."
"All the exfiltrated data is encrypted using asymmetric encryption (RSA), and the encoded public key is the same that was used in previous TeamPCP attacks, such as the LiteLLM PyPI package compromise."
"It is unknown at this point how the library was compromised, but it is likely a direct result of each of TeamPCP's recent attacks on the open source ecosystems."
The Telnyx Python SDK was targeted by TeamPCP in a supply chain attack, with malicious versions 4.87.1 and 4.87.2 uploaded to PyPI. These versions contained a WAV file that executed harmful scripts on Windows, macOS, and Linux systems. The payload exfiltrated session keys using asymmetric encryption. Users of the compromised SDK are advised to consider their systems compromised and to rotate all sensitive credentials. The attack is part of a broader campaign affecting various open source software ecosystems.
Read at SecurityWeek
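
A triage check for the WAV technique quoted above, written for this summary as an added example (not code from SecurityWeek, Telnyx, or the researchers quoted). It flags WAV files whose audio frames consist only of base64 text and classifies what the frames decode to. The repeating use of the 8-byte key, the function names, and the sample data are assumptions made for the example.

```python
import base64, binascii, io, os, string, sys, wave

B64 = set((string.ascii_letters + string.digits + "+/=\r\n").encode())
MAGICS = {b"MZ": "windows-pe", b"\x7fELF": "elf",
          b"\xcf\xfa\xed\xfe": "mach-o-64", b"\xca\xfe\xba\xbe": "mach-o-fat"}

def inspect_wav(data: bytes) -> dict:
    """Flag a WAV whose frame data is base64 text; classify the decoded content."""
    with wave.open(io.BytesIO(data), "rb") as w:
        frames = w.readframes(w.getnframes())
    # Real PCM samples almost never stay inside the base64 alphabet.
    if len(frames) < 16 or not set(frames) <= B64:
        return {"suspicious": False, "kind": None}
    try:
        blob = base64.b64decode(frames)
    except binascii.Error:
        return {"suspicious": True, "kind": "undecodable"}
    key, body = blob[:8], blob[8:]
    # Assumption: the 8-byte key repeats over the remaining bytes.
    plain = bytes(b ^ key[i % 8] for i, b in enumerate(body))
    kind = next((n for m, n in MAGICS.items() if plain.startswith(m)), None)
    if kind is None and plain and all(32 <= c < 127 or c in (9, 10, 13) for c in plain):
        kind = "text/script"
    return {"suspicious": True, "kind": kind or "unknown"}

def make_wav(frames: bytes) -> bytes:
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1); w.setsampwidth(1); w.setframerate(8000)
        w.writeframes(frames)
    return buf.getvalue()

def constructed_samples():
    """Constructed, harmless inputs: one WAV with base64 frames, one with plain PCM."""
    key = bytes(range(1, 9))
    text = b"print('constructed, harmless sample')\n"
    hidden = base64.b64encode(key + bytes(b ^ key[i % 8] for i, b in enumerate(text)))
    tone = bytes(128 + (i * 7) % 100 for i in range(4000))  # ordinary 8-bit PCM
    return make_wav(hidden), make_wav(tone)

if __name__ == "__main__":
    # Scan a directory (for example a site-packages tree) for flagged WAV files.
    for root, _, files in os.walk(sys.argv[1] if len(sys.argv) > 1 else "."):
        for name in (f for f in files if f.lower().endswith(".wav")):
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                print(path, inspect_wav(fh.read()))
```

The check never executes or writes out the decoded bytes; it only reports what kind of content the frames hide.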